How To Check Exchange Autodiscover SRV Record Using Nslookup

https://blogs.technet.microsoft.com/rmilne/2014/10/02/how-to-check-exchange-autodiscover-srv-record-using-nslookup/

Generally the Exchange external Autodiscover DNS entry is configured as a regular A record.  Sometimes a service record (SRV) is used instead.  Since I have the habit of forgetting the syntax for quickly querying the SRV record, this is one of those shared bookmark posts!

Nslookup is the tool of choice here!  Its documentation can be found on TechNet.

There are two ways to run nslookup – interactive and noninteractive.  Noninteractive is good when you know that you only want to query a single piece of data.   Let’s take a peek at an example of each.  We will check for the _autodiscover SRV record in the Tailspintoys.ca domain.  The record points to a host called autod.tailspintoys.ca.  The full format of this record is:

_autodiscover._tcp.tailspintoys.ca

For more reading on SRV records, take a peek at this article.  And for Autodiscover in general please review this post.

Nslookup – Noninteractive

Open a cmd prompt and run

nslookup -q=srv _autodiscover._tcp.tailspintoys.ca

You should see the output below.  Note that the svr hostname field will be the Autodiscover target.

Using Nslookup In NonInteractive Mode To Query For Exchange Autodiscover SRV Record

In this example we launched Nslookup in noninteractive mode.  The query type is set to SRV and then we checked for the _autodiscover._tcp.tailspintoys.ca record.

Nslookup – Interactive

Open a cmd prompt and run:

  1. nslookup
  2. set q=srv
  3. _autodiscover._tcp.tailspintoys.ca

Using Nslookup In Interactive Mode To Query For Exchange Autodiscover SRV Record

In this example we launched Nslookup in interactive mode, so we can interact with it.  The query type is set to SRV and then we checked for the _autodiscover._tcp.tailspintoys.ca record.

Reference – Autodiscover Exchange SRV Record Configuration

For reference purposes, the steps to add an Autodiscover SRV record will be something like the below.  They are intended to be general so please follow any specific notes or items for the DNS registrar you are using!

In your DNS zone editor add a SRV record with the following information:

  • Service _autodiscover

  • Protocol _tcp

  • Name   Enter one of the following values:

    • Enter @ if your registered domain is your cloud-based domain. For example, if your registered domain is contoso.com and your cloud-based domain is contoso.com, enter @.

    • Enter the subdomain name if your cloud-based domain is a subdomain of your registered domain. For example, if your registered domain is contoso.com, but your cloud-based domain is the subdomain test.contoso.com, enter test.

  • Priority 10  (or as per your design)

  • Weight 10  (or as per your design)

  • Port 443

  • Target server.contoso.com   (in the example above this was autod.tailspintoys.ca)

  • TTL   Verify that an appropriate TTL is selected, 1 hour is a common default.  (If you are approaching a migration, this should be decremented to allow for quicker cutover)

In addition to the SRV record pointing us to the correct location, we also have to ensure that there is a valid certificate installed which is published to the Internet.  This could be something as simple as a NAT rule with the appropriate firewall rule for TCP 443 or it could involve TMG or a load balancer’s APM.

The choice as they say – is yours!!

Cheers,

Rhoderick

Providing Email Outlook client autoconfiguration information

http://web.archive.org/web/20120828065248/http://moens.ch/2012/05/31/providing-email-client-autoconfiguration-information/

http://serverfault.com/questions/244660/is-there-a-way-to-use-the-autodiscover-feature-without-exchange

https://github.com/Tiliq/autodiscover.xml/tree/master/views

If you’ve ever configured a gmail or hotmail account in a mail client such as Thunderbird, Outlook or Apple Mail you will have noticed that all it asks of you is your username and password, and it automatically sets up the mail server hostnames, port numbers and connection settings. However, if you set up an email account hosted on your own mail server running non-proprietary software, your mail client – at best – tries to make an educated guess as to what your SMTP and IMAP servers are. If you follow certain conventions (e.g. calling your SMTP server smtp.maildomain.com) this might work out; however, if you do not (and have reasons not to), you find yourself constantly having to enter the information manually.

Auto configuration is most handy though if third parties are using your mail server too. It saves you the hassle of bringing up FAQ pages on your website explaining your users how to set up their account. With auto configuration they just enter their username and password – and everything will (should) work.

I found that documentation on this is scarce on the internet for everything except Thunderbird; you only find individual bits and pieces. I took an afternoon to set up my mail server to support auto configuration for the most well-known mail clients.

Before you can start

Before you begin you have to gather the following pieces of information:

  • Incoming mail server
    • Hostname
    • Protocol (IMAP or POP3)
    • Whether SSL is available or not
    • Port number (IMAP: 143, IMAPs: 993, POP3: 110, POP3s: 995)
    • Username format (full email address or just the local part)
    • Password mechanism (plain or encrypted)
  • Outgoing mail server
    • Hostname
    • Port number (most likely 587. If your SMTP server still only listens on port 25, many people will have trouble connecting, as ISPs around the world have started blocking this port. Enable the submission port 587, which on postfix for example is up by default)
    • Whether SSL or STARTTLS should be used
    • Username format
    • Password mechanism

In essence

All mail clients – in essence – perform auto configuration or auto discovery in a similar way. Mostly they request an XML file from a specific location which contains the information they need. It is up to you to put that XML file at exactly the location they expect and follow the format they expect it to be in. The only client which doesn’t seem to do that is Mail on iOS (iPhone, iPod and iPad). No worry though, I found a solution for that too.

Mozilla Thunderbird

The process for email server admins to provide auto configuration for Thunderbird is actually very well documented here. I summarize:

Thunderbird assumes that everything after the @-sign of the username you entered is your email domain. If the user enters fred@example.com, the email domain will be example.com. It then looks for a configuration file at http://autoconfig.example.com/mail/config-v1.1.xml to find the settings for this domain. You can find the authoritative description of this XML file here.

The format allows you to specify more than one server of each type (incoming and outgoing). For example my IMAP server is available on port 143 using STARTTLS and on 993 using IMAPs. The live example for my domain mylansite.org can be found here: http://autoconfig.mylansite.org/mail/config-v1.1.xml.

In my case, the username is the full email address. Hence you will find this in my configuration file:

<username>%EMAILADDRESS%</username>

If on your server only the local part of the email address (the string before the @-sign) is used for authentication, use the token %EMAILLOCALPART%.

Now all you have to do is set up your config file, create a vhost on your webserver for autoconfig.yourdomain.com, place the config-v1.1.xml file in the /mail subfolder and Bob’s your uncle. If you are hosting multiple email domains, the Thunderbird Autoconfiguration documentation contains a brilliant example of how to set up an Apache rewrite rule to automatically match all host names called autoconfig.*.

Microsoft Outlook

This is where things started to get tricky, as documentation was scarce. Outlook works brilliantly when connecting to an Exchange server: it figures out everything it needs to know. But how do you make use of this mechanism yourself, you wonder? Well, wonder no longer. It isn’t as simple as the Thunderbird implementation, but the concept is very similar.

Outlook performs an HTTP POST request to https://autodiscover.emaildomain.com/autodiscover/autodiscover.xml with the following content:

<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
  <Request>
    <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
    <EMailAddress>fred@emaildomain.com</EMailAddress>
  </Request>
</Autodiscover>

There is some decent documentation in this MS TechNet article on how to format the response. To very quickly cut to the chase, you can find my example here with the minimum required to set up a simple email account. You will notice that the <LoginName> is blank. I’ll get to that in a minute: https://ns2.samhostuk.net/autodiscover/autodiscover.xml

Remember that this POST request goes via HTTPS and not HTTP. You don’t want to have a different SSL certificate for each email domain you are hosting, each matching autodiscover.emaildomain.com (also considering that Apache cannot have name-based virtual hosts with different SSL certs). There is a very elegant way to solve this:

Outlook first does a DNS lookup for a SRV record at _autodiscover._tcp.emaildomain.com to find the address of the autodiscover server. This record should have the following format:

0 0 443 ssl.mailprovider.com

This means that instead of looking for the XML file at https://autodiscover.emaildomain.com/autodiscover/autodiscover.xml, Outlook will now look at https://ssl.mailprovider.com/autodiscover/autodiscover.xml. If you are running bind, the entry in your zone file will look somewhat like this:

_autodiscover._tcp      SRV       0 0 443 ns2.samhostuk.net.

If you want to test your record before going through the pain of firing up your Outlook client, run something like:

#> dig +short -t SRV _autodiscover._tcp.mydomain.com

This also means you do not have to set up an autodiscover subdomain for each email domain you host. You still however have to add this SRV record to each email domain’s DNS zone.
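A parser and sanity check for both lookup outputs shown on this page, the Windows nslookup query in the first post and the dig command above, as added example code that is not part of either post; the sample outputs, hostnames and the 192.0.2.x addresses are constructed.

```python
"""Parse and sanity-check Autodiscover SRV lookups.

Added example, not part of either original post. It understands the two
output shapes the posts show, `dig +short -t SRV` ("prio weight port target.")
and Windows nslookup ("priority = 10" ... "svr hostname = ..."), orders the
records the way a client tries them and flags settings Outlook will not
accept. Sample outputs and hostnames below are constructed.
"""
import re
import subprocess
from dataclasses import dataclass

# Constructed: `dig +short -t SRV _autodiscover._tcp.tailspintoys.ca`
SAMPLE_DIG = """\
10 10 443 autod.tailspintoys.ca.
20 5 443 autod-backup.tailspintoys.ca.
"""

# Constructed: `nslookup -q=srv _autodiscover._tcp.tailspintoys.ca` (Windows)
SAMPLE_NSLOOKUP = """\
Server:  dns.tailspintoys.ca
Address:  192.0.2.53

_autodiscover._tcp.tailspintoys.ca      SRV service location:
          priority       = 10
          weight         = 10
          port           = 443
          svr hostname   = autod.tailspintoys.ca
"""

DIG_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")
NSLOOKUP_KV = re.compile(r"^\s*(priority|weight|port|svr hostname)\s*=\s*(\S+)\s*$")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]*$", re.I)


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str  # FQDN without the trailing dot


def parse_dig_short(text: str) -> list[SrvRecord]:
    """`dig +short -t SRV` prints one rdata per line."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = DIG_LINE.match(line)
        if not m:
            raise ValueError(f"not an SRV rdata line: {line!r}")
        prio, weight, port, target = m.groups()
        records.append(SrvRecord(int(prio), int(weight), int(port), target.rstrip(".")))
    return records


def parse_nslookup(text: str) -> list[SrvRecord]:
    """Windows nslookup prints one key = value block per record; the
    'svr hostname' line closes a block."""
    records, cur = [], {}
    for line in text.splitlines():
        m = NSLOOKUP_KV.match(line)
        if not m:
            continue
        key, value = m.groups()
        cur[key] = value
        if key == "svr hostname":
            records.append(SrvRecord(int(cur["priority"]), int(cur["weight"]),
                                     int(cur["port"]), value.rstrip(".")))
            cur = {}
    return records


def client_order(records):
    """Lowest priority is tried first (RFC 2782); within a priority clients
    pick randomly in proportion to weight. Sorting by descending weight is a
    deterministic stand-in for that random choice."""
    return sorted(records, key=lambda r: (r.priority, -r.weight))


def check_autodiscover_srv(records) -> list[str]:
    """Problems a defender wants to see before pointing Outlook at the record;
    an empty list means the record looks usable."""
    problems = []
    if not records:
        return ["no SRV record: Outlook falls back to autodiscover.<domain> over HTTPS"]
    for r in records:
        if r.port != 443:
            problems.append(f"{r.target or '.'}: port {r.port}, Outlook expects HTTPS on 443")
        if r.target == "":
            problems.append("target '.' means the service is explicitly not offered")
        elif IPV4.match(r.target):
            # The certificate on port 443 has to match the SRV target name.
            problems.append(f"{r.target}: IP target cannot match a TLS certificate name")
        elif not HOSTNAME.match(r.target):
            problems.append(f"{r.target!r}: target must be a fully qualified hostname")
    return problems


def lookup(domain: str) -> list[SrvRecord]:
    """Live query via dig, exactly as in the post (needs dig on the host)."""
    out = subprocess.run(["dig", "+short", "-t", "SRV", f"_autodiscover._tcp.{domain}"],
                         capture_output=True, text=True, check=True).stdout
    return parse_dig_short(out)


if __name__ == "__main__":
    for rec in client_order(parse_dig_short(SAMPLE_DIG)):
        print(rec)
    print(check_autodiscover_srv(parse_nslookup(SAMPLE_NSLOOKUP)) or "OK")
```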

Getting the user’s email address in the response XML

I have found no documentation on valid tokens you can use in the response XML such as the %EMAILADDRESS% token honored by Thunderbird. This means it’s up to you to populate the <LoginName> element on the server side. Fortunately, the client just posted it to you, so all you have to do is extract it from the POST data and print it into the output XML. PHP is my language of choice, but you can implement a similar solution in your preferred server side scripting language.

First, you need to tell Apache that .xml files should be sent through the PHP interpreter. Locate the <VirtualHost> directive for your SSL host (on my Ubuntu install it’s in /etc/apache/sites-available/default-ssl) and add the following line:

AddType application/x-httpd-php .php .php3 .php4 .php5 .xml

Save your config and reload Apache.

Then, edit your autodiscover.xml file and add some magic. Here is what mine looks like (I am a believer that for this simple search, a preg_match is quicker than a full XML parse):

<?php
// Outlook POSTs the Autodiscover request; read the raw body.
$raw = file_get_contents('php://input');
$matches = array();
// Non-greedy match so the capture stops at the first closing tag.
preg_match('/<EMailAddress>(.*?)<\/EMailAddress>/', $raw, $matches);
// Escape the address before echoing it back so a crafted request cannot
// inject markup into the response; leave LoginName empty if nothing matched.
$login = isset($matches[1])
    ? htmlspecialchars(trim($matches[1]), ENT_XML1 | ENT_QUOTES, 'UTF-8')
    : '';
header('Content-Type: application/xml');
?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <User>
      <DisplayName>myLANsite</DisplayName>
    </User>
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
        <Type>IMAP</Type>
        <Server>ns2.samhostuk.net</Server>
        <Port>993</Port>
        <DomainRequired>off</DomainRequired>
        <SPA>off</SPA>
        <SSL>on</SSL>
        <AuthRequired>on</AuthRequired>
        <LoginName><?php echo $login; ?></LoginName>
      </Protocol>
      <Protocol>
        <Type>SMTP</Type>
        <Server>ns2.samhostuk.net</Server>
        <Port>465</Port>
        <DomainRequired>off</DomainRequired>
        <SPA>off</SPA>
        <SSL>on</SSL>
        <AuthRequired>on</AuthRequired>
        <LoginName><?php echo $login; ?></LoginName>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>

To test your script, save a copy of the Autodiscover XML request above into a local file called req.xml and then run the command below to send the request and check the response:

cat req.xml | lwp-request -m POST https://autodiscover.mymaildomain.com/autodiscover/autodiscover.xml

If your _autodiscover._tcp SRV record and the autodiscover.xml file are correctly in place, Outlook users will be able to set up their email accounts absolutely hassle free.
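The same server-side step as the PHP above, written in Python as an added example (not the post's code): it parses the request as XML and escapes the address on output, so the posted value cannot alter the response markup; the mail host mail.example.net and the MAX_BODY limit are assumptions.

```python
"""Build an Outlook Autodiscover response from the POSTed request.

Added example in Python, not the original post's PHP. It does the two
things the PHP script leaves out: parses the request as XML rather than
with a regex, and escapes the address before it lands in <LoginName>, so a
crafted EMailAddress cannot inject elements into the response. The mail
host name is a placeholder; the post uses ns2.samhostuk.net.
"""
import re
import xml.etree.ElementTree as ET

REQ_NS = "http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006"
RESP_NS = "http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006"
OUTLOOK_NS = "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"

MAIL_HOST = "mail.example.net"   # placeholder for your IMAP/SMTP host
MAX_BODY = 64 * 1024              # Outlook's request is a few hundred bytes
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")

# Constructed copy of the request Outlook sends (same shape as in the post).
SAMPLE_REQUEST = f"""<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="{REQ_NS}">
  <Request>
    <AcceptableResponseSchema>{OUTLOOK_NS}</AcceptableResponseSchema>
    <EMailAddress>fred@emaildomain.com</EMailAddress>
  </Request>
</Autodiscover>
"""


def extract_email(raw: bytes) -> str:
    """Return the EMailAddress from the request body or raise ValueError.

    The stdlib parser does not fetch external entities; the value is then
    checked against a strict pattern before it is ever echoed back."""
    if len(raw) > MAX_BODY:
        raise ValueError("request body too large")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML: {exc}") from None
    if root.tag != f"{{{REQ_NS}}}Autodiscover":
        raise ValueError("not an Autodiscover request")
    node = root.find(f"{{{REQ_NS}}}Request/{{{REQ_NS}}}EMailAddress")
    if node is None or not node.text:
        raise ValueError("EMailAddress missing")
    email = node.text.strip()
    if len(email) > 254 or not EMAIL_RE.match(email):
        raise ValueError("EMailAddress malformed")
    return email


def _protocol(account, proto_type, port, login):
    """One <Protocol> block; mirrors the fields used in the post."""
    proto = ET.SubElement(account, "Protocol")
    for tag, text in (("Type", proto_type), ("Server", MAIL_HOST), ("Port", str(port)),
                      ("DomainRequired", "off"), ("SPA", "off"), ("SSL", "on"),
                      ("AuthRequired", "on"), ("LoginName", login)):
        ET.SubElement(proto, tag).text = text


def build_response(email: str) -> bytes:
    """Serialise the settings response. ElementTree escapes text nodes, so
    '<', '&' and '>' in `email` can never become markup."""
    # xmlns is set as a plain attribute so the output carries the same default
    # namespaces as the post's hand-written XML, without ns0: prefixes.
    root = ET.Element("Autodiscover", xmlns=RESP_NS)
    resp = ET.SubElement(root, "Response", xmlns=OUTLOOK_NS)
    ET.SubElement(ET.SubElement(resp, "User"), "DisplayName").text = email
    account = ET.SubElement(resp, "Account")
    ET.SubElement(account, "AccountType").text = "email"
    ET.SubElement(account, "Action").text = "settings"
    _protocol(account, "IMAP", 993, email)
    _protocol(account, "SMTP", 465, email)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def handle_post(raw: bytes) -> tuple[int, bytes]:
    """What the web layer would call: returns (HTTP status, body)."""
    try:
        return 200, build_response(extract_email(raw))
    except ValueError as exc:
        return 400, str(exc).encode()


if __name__ == "__main__":
    status, body = handle_post(SAMPLE_REQUEST.encode())
    print(status)
    print(body.decode())
```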

Apple Mail on iOS (iPhone, iPod, iPad)

The Mail App on iOS works differently to Outlook and Thunderbird. It does not perform any lookups to discover settings. It’s got built-in presets for providers such as Hotmail and Gmail, but makes no attempt to look up settings for any other mail domains. However, there is a way – through profiles. If you’ve got a Mac you’re in luck. If you have not, ask a friend with a Mac to lend it to you for five minutes

Saving copies of all email using Exim

https://www.devco.net/archives/2006/03/24/saving_copies_of_all_email_using_exim.php

I’ve often seen questions on lists by people who want to save all incoming and outgoing mail on a specific server in an archive; this is usually due to an auditor or corporate legal types requesting it.

The Exim documentation says it can be done but does not give examples, nor does either of the two Exim books; the mailing lists are short of working examples and Google does not help either! Eventually I came across a Russian-language site that had a working setup, so I figured I’d document it here in English.

The basic idea is I want a maildir made that has sub folders for each user containing incoming and outgoing mail.

You’ll need to use 2 types of Exim configuration, one being a System Filter and one being a Shadow Transport.

Handling outgoing mail is done using the system filter, I’ll set this up to only affect mail matching domain.com. In the main Exim configuration configure the basics of system wide filters by simply adding the following to the top section:

system_filter = /etc/exim/systemfilter.txt
system_filter_directory_transport = local_copy_outgoing

This defines the file where the filter will live, as well as a transport that will be used to deliver the mails created by the filter. You could potentially use one of your existing transports, but I like using a separate one for clarity. In your transports section add the local_copy_outgoing transport:

local_copy_outgoing:
driver = appendfile
delivery_date_add
envelope_to_add
return_path_add
group = exim
user = exim
mode = 0660
maildir_format = true
create_directory = true

NOTE: This is using user exim and group exim, you want to adjust it for your local needs.

Now simply create the filter in /etc/exim/systemfilter.txt:

if $sender_address_domain is domain.com
then
unseen save /var/mail/domain.com/mailarchive/.${tr{$sender_address}{.}{_}}.outgoing/
endif

This filter will save the mail in a maildir under /var/mail/domain.com/mailarchive/; the mailbox for a name.surname@domain.com user will be name_surname@domain_com.outgoing. Using this format means most IMAP clients will display it nicely, since dots tend to confuse them a bit. You can adjust this to taste.

Incoming mail is easier. Exim provides a shadow_transport facility that lets you call another transport for each local delivery; this transport gets a copy of the mail and its result won’t affect the further delivery of the actual email, which is perfect for calling vacation-type commands or doing this kind of mail copying.

My needs are only for intercepting mail that reaches the Maildirs, so I’ll only need to hook into my address_directory transport; if you have other needs, like intercepting emails to real Unix accounts, then you can hook into the local_delivery transport using the same method. My address_directory transport looks like the one below; the last 2 lines are the important ones.

address_directory:
driver = appendfile
create_directory
delivery_date_add
directory_mode = 770
envelope_to_add
maildir_format
return_path_add
shadow_transport = local_copy_incoming
shadow_condition = ${if eq {$domain}{domain.com}{yes}{no}}

This calls a transport called local_copy_incoming to deliver the copy of the email; just add the following into your transports, again adjusting user id, group id and file paths to your liking. This will do the file name expansion in a similar format; I’m just using a slightly more complex form of the text replace here as a different example of things you can do, the end result is the same.

local_copy_incoming:
driver = appendfile
directory = /var/mail/domain.com/mailarchive/ \
.${tr {$local_part}{.}{_}}@${tr {$domain}{.}{_}}.incoming/
delivery_date_add
envelope_to_add
return_path_add
group = exim
user = exim
mode = 0660
maildir_format = true
create_directory = true

NOTE: The above line that ends in “\” is a continuation onto the next, remove the “\” and join the two lines in your config.

You can now restart your Exim server. If you’ve done it all right and created the main Maildir where this all lives, your incoming and outgoing mail for domain.com will all be saved on a per-user basis.

5 Common Server Setups For Your Web Application

https://www.digitalocean.com/community/tutorials/5-common-server-setups-for-your-web-application

Introduction

When deciding which server architecture to use for your environment, there are many factors to consider, such as performance, scalability, availability, reliability, cost, and ease of management.

Here is a list of commonly used server setups, with a short description of each, including pros and cons. Keep in mind that all of the concepts covered here can be used in various combinations with one another, and that every environment has different requirements, so there is no single, correct configuration.

1. Everything On One Server

The entire environment resides on a single server. For a typical web application, that would include the web server, application server, and database server. A common variation of this setup is a LAMP stack, which stands for Linux, Apache, MySQL, and PHP, on a single server.

Use Case: Good for setting up an application quickly, as it is the simplest setup possible, but it offers little in the way of scalability and component isolation.

Everything On a Single Server

Pros:

  • Simple

Cons:

  • Application and database contend for the same server resources (CPU, Memory, I/O, etc.) which, aside from possible poor performance, can make it difficult to determine the source (application or database) of poor performance
  • Not readily horizontally scalable

2. Separate Database Server

The database management system (DBMS) can be separated from the rest of the environment to eliminate the resource contention between the application and the database, and to increase security by removing the database from the DMZ, or public internet.

Use Case: Good for setting up an application quickly, but keeps application and database from fighting over the same system resources.

Separate Database Server

Pros:

  • Application and database tiers do not contend for the same server resources (CPU, Memory, I/O, etc.)
  • You may vertically scale each tier separately, by adding more resources to whichever server needs increased capacity
  • Depending on your setup, it may increase security by removing your database from the DMZ

Cons:

  • Slightly more complex setup than single server
  • Performance issues can arise if the network connection between the two servers is high-latency (i.e. the servers are geographically distant from each other), or the bandwidth is too low for the amount of data being transferred

3. Load Balancer (Reverse Proxy)

Load balancers can be added to a server environment to improve performance and reliability by distributing the workload across multiple servers. If one of the servers that is load balanced fails, the other servers will handle the incoming traffic until the failed server becomes healthy again. It can also be used to serve multiple applications through the same domain and port, by using a layer 7 (application layer) reverse proxy.

Examples of software capable of reverse proxy load balancing: HAProxy, Nginx, and Varnish.

Use Case: Useful in an environment that requires scaling by adding more servers, also known as horizontal scaling.

Load Balancer

Pros:

  • Enables horizontal scaling, i.e. environment capacity can be scaled by adding more servers to it
  • Can protect against DDOS attacks by limiting client connections to a sensible amount and frequency

Cons:

  • The load balancer can become a performance bottleneck if it does not have enough resources, or if it is configured poorly
  • Can introduce complexities that require additional consideration, such as where to perform SSL termination and how to handle applications that require sticky sessions
  • The load balancer is a single point of failure; if it goes down, your whole service can go down. A high availability (HA) setup is an infrastructure without a single point of failure. To learn how to implement an HA setup, you can read this section of How To Use Floating IPs.

4. HTTP Accelerator (Caching Reverse Proxy)

An HTTP accelerator, or caching HTTP reverse proxy, can be used to reduce the time it takes to serve content to a user through a variety of techniques. The main technique employed with an HTTP accelerator is caching responses from a web or application server in memory, so future requests for the same content can be served quickly, with less unnecessary interaction with the web or application servers.

Examples of software capable of HTTP acceleration: Varnish, Squid, Nginx.

Use Case: Useful in an environment with content-heavy dynamic web applications, or with many commonly accessed files.

HTTP Accelerator

Pros:

  • Increase site performance by reducing CPU load on web server, through caching and compression, thereby increasing user capacity
  • Can be used as a reverse proxy load balancer
  • Some caching software can protect against DDOS attacks

Cons:

  • Requires tuning to get best performance out of it
  • If the cache-hit rate is low, it could reduce performance

5. Master-Slave Database Replication

One way to improve performance of a database system that performs many reads compared to writes, such as a CMS, is to use master-slave database replication. Master-slave replication requires a master and one or more slave nodes. In this setup, all updates are sent to the master node and reads can be distributed across all nodes.

Use Case: Good for increasing the read performance for the database tier of an application.

Here is an example of a master-slave replication setup, with a single slave node:

Master-Slave Database Replication

Pros:

  • Improves database read performance by spreading reads across slaves
  • Can improve write performance by using master exclusively for updates (it spends no time serving read requests)

Cons:

  • The application accessing the database must have a mechanism to determine which database nodes it should send update and read requests to
  • Updates to slaves are asynchronous, so there is a chance that their contents could be out of date
  • If the master fails, no updates can be performed on the database until the issue is corrected
  • Does not have built-in failover in case of failure of master node

Example: Combining the Concepts

It is possible to load balance the caching servers, in addition to the application servers, and use database replication in a single environment. The purpose of combining these techniques is to reap the benefits of each without introducing too many issues or complexity. Here is an example diagram of what a server environment could look like:

Load Balancer, HTTP Accelerator, and Database Replication Combined

Let’s assume that the load balancer is configured to recognize static requests (like images, css, javascript, etc.) and send those requests directly to the caching servers, and send other requests to the application servers.

Here is a description of what would happen when a user requests dynamic content:

  1. The user requests dynamic content from http://example.com/ (load balancer)
  2. The load balancer sends request to app-backend
  3. app-backend reads from the database and returns requested content to load balancer
  4. The load balancer returns requested data to the user

If the user requests static content:

  1. The load balancer checks cache-backend to see if the requested content is cached (cache-hit) or not (cache-miss)
  2. If cache-hit: return the requested content to the load balancer and jump to Step 7. If cache-miss: the cache server forwards the request to app-backend, through the load balancer
  3. The load balancer forwards the request through to app-backend
  4. app-backend reads from the database then returns requested content to the load balancer
  5. The load balancer forwards the response to cache-backend
  6. cache-backend caches the content then returns it to the load balancer
  7. The load balancer returns requested data to the user

This environment still has two single points of failure (load balancer and master database server), but it provides all of the other reliability and performance benefits that were described in each section above.

Conclusion

Now that you are familiar with some basic server setups, you should have a good idea of what kind of setup you would use for your own application(s). If you are working on improving your own environment, remember that an iterative process is best to avoid introducing too many complexities too quickly.

Let us know of any setups you recommend or would like to learn more about in the comments below!

By Mitchell Anicas

How to use KVM from the command line on Debian or Ubuntu

http://xmodulo.com/use-kvm-command-line-debian-ubuntu.html

There are different ways to manage virtual machines (VMs) running on the KVM hypervisor. For example, virt-manager is a popular GUI-based front-end for VM management. However, if you would like to use KVM on a headless server, GUI-based solutions will not be ideal. In fact, you can create and manage KVM VMs purely from the command line using the kvm command-line wrapper script. Alternatively, you can use virsh, which is an easier-to-use command-line user interface for managing guest VMs. Underneath, virsh communicates with the libvirtd service, which can control several different hypervisors including KVM, Xen, QEMU, LXC and OpenVZ.

A command-line management interface such as virsh is also useful when you would like to “automate” the provisioning and management of VMs. Also, the fact that virsh supports multiple hypervisors means you can manage different hypervisors via the same virsh interface.

In this tutorial, I will demonstrate how to run KVM from the command line by using virsh on Debian or Ubuntu.

Step One: Verify Hardware Virtualization Support

As a first step, verify that the host CPU is equipped with hardware virtualization extensions (e.g., Intel VT or AMD-V), which are required for KVM. The following command will do.

$ egrep '(vmx|svm)' --color /proc/cpuinfo

If the output does not contain vmx or svm flag, it means the host CPU does not have hardware virtualization support. Thus you cannot use KVM on the host. After verifying that the host CPU comes with vmx or svm, proceed to install KVM next.

For KVM, it is not required to run a 64-bit kernel on the KVM host, but generally it is recommended.

Step Two: Install KVM

Using apt-get, install KVM and related user-space tools.

$ sudo apt-get install qemu-kvm libvirt-bin

During installation, the libvirtd group (or libvirt-qemu on Debian) will be created, and your user ID will be automatically added to the group. This allows you to manage VMs as a regular non-root user. You can verify that by using the id command, which will show your group IDs:

$ id <your-userID>

If for some reason, libvirtd (or libvirt-qemu) is not found in your groupID list, you can manually add yourself to the group as follows.

On Ubuntu:

$ sudo adduser [youruserID] libvirtd

On Debian:

$ sudo adduser [youruserID] libvirt-qemu

Reload the updated group membership info as follows. When asked for a password, enter your login password.

$ exec su -l $USER

At this point, you should be able to run virsh as a regular user. As a test, try the command below, which will show a list of available VMs (currently none). If you do not encounter a permission error, it means everything is okay so far.

$ virsh list
 Id    Name                           State
----------------------------------------------------

Step Three: Configure Bridged Networking

One way to enable KVM VMs to access external networks is via a Linux bridge created on a KVM host. The bridge interconnects the virtual interfaces of VMs with the physical interface of the host, so that the VMs can send or receive traffic via the physical interface. This is called bridged networking.

Here is how to create and configure a Linux bridge br0 for bridged networking with KVM.

First, install a necessary package, and create a Linux bridge from the command line.

$ sudo apt-get install bridge-utils
$ sudo brctl addbr br0

The next step is to configure the Linux bridge in /etc/network/interfaces, so that the bridge is configured automatically upon boot. To use /etc/network/interfaces, you need to disable Network Manager on your system (if you are using it). Follow this instruction to disable Network Manager.

After disabling Network Manager, go ahead and configure Linux bridge br0 in /etc/network/interfaces as follows.

#auto eth0
#iface eth0 inet dhcp

auto br0
iface br0 inet dhcp
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0
        bridge_maxwait 0

In the above I assume that eth0 is the primary network interface that is connected to external networks. Also, I assume that eth0 is getting its IP address via DHCP. Note that there is no configuration for eth0 in /etc/network/interfaces. The Linux bridge br0 takes over the configuration of eth0, as eth0 is enslaved to the bridge br0.

Restart network service, and verify that Linux bridge is configured successfully. If successful, br0 should be assigned the eth0’s DHCP IP address, and eth0 should not have any IP address assigned.

$ sudo /etc/init.d/networking restart
$ ifconfig

If for any reason eth0 still retains the IP address which is assigned to br0, you may have to explicitly remove the IP address from eth0.

Step Four: Create a VM from the Command Line

With KVM, the configuration of a VM is stored in a domain XML file. Thus, the first step to create a VM is to prepare its domain XML file.

The following is a sample domain XML file of a VM. You can customize it as needed.

<domain type='kvm'>
  <name>alice</name>
  <uuid>f5b8c05b-9c7a-3211-49b9-2bd635f7e2aa</uuid>
  <memory>1048576</memory>
  <currentMemory>1048576</currentMemory>
  <vcpu>1</vcpu>
  <os>
    <type>hvm</type>
    <boot dev='cdrom'/>
  </os>
  <features>
    <acpi/>
  </features>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <emulator>/usr/bin/kvm</emulator>
    <disk type="file" device="disk">
      <driver name="qemu" type="raw"/>
      <source file="/home/dev/images/alice.img"/>
      <target dev="vda" bus="virtio"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x04" function="0x0"/>
    </disk>
    <disk type="file" device="cdrom">
      <driver name="qemu" type="raw"/>
      <source file="/home/dev/iso/CentOS-6.5-x86_64-minimal.iso"/>
      <target dev="hdc" bus="ide"/>
      <readonly/>
      <address type="drive" controller="0" bus="1" target="0" unit="0"/>
    </disk>
    <interface type='bridge'>
      <source bridge='br0'/>
      <mac address="00:00:A3:B0:56:10"/>
    </interface>
    <controller type="ide" index="0">
      <address type="pci" domain="0x0000" bus="0x00" slot="0x01" function="0x1"/>
    </controller>
    <input type='mouse' bus='ps2'/>
    <graphics type='vnc' port='-1' autoport="yes" listen='0.0.0.0'/>
    <console type='pty'>
      <target port='0'/>
    </console>
  </devices>
</domain>

The above domain XML file defines the following VM.

  • 1GB memory, one vCPU and one hard drive.
  • Disk image: /home/dev/images/alice.img.
  • Boot from CD-ROM (/home/dev/iso/CentOS-6.5-x86_64-minimal.iso).
  • Networking: one network interface bridged to br0
  • Remote access via VNC.

The UUID string inside <uuid></uuid> can be randomly generated. To get a random UUID, you can use the uuid command-line tool.

$ sudo apt-get install uuid
$ uuid

Another way to create a domain XML file is to dump the domain information of an existing VM as follows.

$ virsh dumpxml alice > bob.xml

Step Five: Start VM from the Command Line

Before starting a VM, you need to create its initial disk image. For that, you can use the qemu-img command, which comes with the qemu-kvm package you installed. The following command creates an empty 10GB disk image in qcow2 format:

$ qemu-img create -f qcow2 /home/dev/images/alice.img 10G

The advantage of using “qcow2” (as opposed to “raw”) as the disk image format is that a “qcow2” image is not created at its full size (10GB) up front but grows as the disk is populated, so it is more space-efficient.
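The sample XML in Step Four declares the disk with type="raw", while the command above produces a qcow2 image; libvirt needs the declared type to match the actual format, or the guest sees the qcow2 container instead of its filesystem (libvirt does not guess the format from the header, since the guest can write that header). The following check is an added example, not the article's code: it compares each disk's declared type with the image's magic bytes and recognises only the two formats the article uses.

```bash
#!/bin/sh
# check_disk_format.sh - confirm that every <driver type="..."> in a libvirt
# domain XML matches the real on-disk format of the image it points to.
# Added example, not part of the original article. Only the two formats the
# article uses (raw and qcow2) are recognised; anything without the qcow2
# magic is reported as raw, which also covers ISO images.

# Print "qcow2" if the file begins with the qcow2 magic bytes 'Q' 'F' 'I' 0xfb,
# otherwise "raw".
image_format() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    if [ "$magic" = "514649fb" ]; then echo qcow2; else echo raw; fi
}

# Emit "<source file> <declared type>" for each <disk> element. Relies on the
# one-element-per-line layout of the article's XML; paths must not contain
# spaces.
disk_entries() {
    awk '
        /<disk /        { t = "" }
        /<driver /      { if (match($0, /type="[^"]*"/)) t = substr($0, RSTART + 6, RLENGTH - 7) }
        /<source file=/ { if (match($0, /file="[^"]*"/)) print substr($0, RSTART + 6, RLENGTH - 7), t }
    ' "$1"
}

# Return 0 if every image exists and matches its declared type, 1 otherwise,
# printing one line per problem found.
check_domain() {
    bad=0
    while read -r file declared; do
        [ -n "$file" ] || continue
        if [ ! -f "$file" ]; then
            echo "missing image: $file"
            bad=1
            continue
        fi
        actual=$(image_format "$file")
        if [ "$actual" != "$declared" ]; then
            echo "MISMATCH $file: XML declares '$declared', header says '$actual'"
            bad=1
        fi
    done <<EOF
$(disk_entries "$1")
EOF
    return $bad
}

# Usage: check_disk_format.sh alice.xml
if [ "$#" -eq 1 ]; then
    check_domain "$1"
fi
```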

Now you are ready to start a VM using the domain XML file you created earlier. The following command will create a VM, and automatically start it.

$ virsh create alice.xml
Domain alice created from alice.xml

NOTE: If you run the above command with an already created VM, it will wipe out the VM without warning. If you already created a VM, you can instead use the following command to just start the VM.

$ virsh start alice

Verify that a new domain has been created and started successfully with:

$ virsh list
 Id    Name                           State
----------------------------------------------------
 3     alice                          running

Also, verify that the virtual interface for the VM (e.g., vnet0) is successfully added to the Linux bridge br0 that you created earlier.

$ sudo brctl show

Step Six: Remote Access a VM

To access the console of a running VM remotely, you can use any VNC client.

First, find out the VNC port number for the VM as follows.

$ sudo netstat -nap | egrep '(kvm|qemu)'

In this example, the VNC port number for alice VM is 5900.

Then launch a VNC client, and connect to a VNC server running at <KVM-host-IP>:5900. In our example, the VM is supposed to boot into CentOS CD-ROM.

Manage VMs with virsh

The following lists common usages of virsh command.

To create a new guest domain and start a VM:

$ virsh create alice.xml

To stop a VM and destroy a guest domain:

$ virsh destroy alice

To shutdown a VM (without destroying a domain):

$ virsh shutdown alice

To suspend a VM:

$ virsh suspend alice

To resume a suspended VM:

$ virsh resume alice

To access login console of a running VM:

$ virsh console alice

To autostart a VM upon host booting:

$ virsh autostart alice

To get domain information of a VM:

$ virsh dominfo alice

To edit domain XML of a VM:

$ virsh edit alice

The above opens the VM’s domain XML in the default text editor. Any change to the XML is automatically validated by libvirt for correctness when you save it.

You can also manage VMs from within a virsh session. To create and enter a new virsh session, simply run:

$ virsh

At the virsh prompt, you can use any virsh commands.

Troubleshooting

1. I am getting the error while trying to create a VM:

error: internal error: no supported architecture for os type 'hvm'

You can get this error if your hardware does not have hardware virtualization support (e.g., Intel VT or AMD-V), which is required to run KVM. If you are getting this error even when your CPU comes with Intel VT or AMD-V, here are possible solutions:

First, check whether the kvm kernel module is loaded.

$ lsmod | grep kvm

If kvm kernel module is not loaded, you must load it as follows.

$ sudo modprobe kvm_intel    # for Intel processors
$ sudo modprobe kvm_amd      # for AMD processors

The second solution is to add the "--connect qemu:///system" argument to the virsh command as follows. This argument may be needed when you are using more than one hypervisor (e.g., VMware, VirtualBox) on the same server.

$ virsh --connect qemu:///system create alice.xml

2. I am getting the error while trying to access login console of my VM:

$ virsh console alice
error: internal error: cannot find character device <null>

This error occurs because you did not define a console device in the VM’s XML file. Add the following inside the <devices> section of the XML file.

<console type='pty'>
  <target port='0'/>
</console>

Fix Self-sign CA – VestaCP password driver

I had to update the self-signed SSL cert as follows:

echo -n | openssl s_client -connect ns1.test.com:8083 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | tee '/usr/local/share/ca-certificates/ns1.test.com.crt' && update-ca-certificates

and update password/config.inc.php to:

$rcmail_config['password_vesta_host'] = 'ns1.test.com';

Ubuntu 16.04 – Configure your system to have x11vnc running at startup

http://c-nergy.be/blog/?p=8984

Today, we continue our journey into the upcoming release of Ubuntu (i.e. Ubuntu 16.04) and remote desktop connections. In the previous posts, we updated the procedure to perform a standard xrdp installation and the procedure to perform a custom xrdp installation.

Another post that has been quite popular is the one about having the x11vnc service running at startup. This post updates the existing post that targets Ubuntu 15.04 (see Ubuntu 15.04 – Configure your system to have x11vnc running at startup). The installation process has not changed since Ubuntu 15.x; the previous post explained how to perform the installation step by step.

In this post, instead of repeating the same things, we have put together a quick and dirty script that configures your system with the x11vnc service running at startup.

Why would you need the x11vnc service at startup? Simply because we would like to be able to log in from a VNC client to a remote system where no user is currently logged on, or to access the system remotely even after multiple reboots.

So, let’s see how we can achieve this.

The Script

Content of the Script

Important Note :

If you copy/paste the script, you might encounter issues because formatting might not be preserved during the copy/paste operation. Please ensure the formatting is accurate before launching the script. At the end of the post, you can download the script.

Disclaimer : As usual, use this at your own risk !! 

#!/bin/bash
# ##################################################################
# Script Name : vnc-startup.sh
# Description : Perform an automated install of X11Vnc
#               Configure it to run at startup of the machine
# Date : Feb 2016
# Written by : Griffon
# Web Site : http://www.c-nergy.be - http://www.c-nergy.be/blog
# Version : 1.0
#
# Disclaimer : Script provided AS IS. Use it at your own risk....
#
# #################################################################
# Step 1 - Install X11VNC
# #################################################################
sudo apt-get install x11vnc -y
# Step 2 - Specify Password to be used for VNC Connection
# #################################################################
sudo x11vnc -storepasswd /etc/x11vnc.pass
# Step 3 - Create the Service Unit File
# #################################################################
cat > /lib/systemd/system/x11vnc.service << EOF
[Unit]
Description=Start x11vnc at startup.
After=multi-user.target
[Service]
Type=simple
ExecStart=/usr/bin/x11vnc -auth guess -forever -loop -noxdamage -repeat -rfbauth /etc/x11vnc.pass -rfbport 5900 -shared
[Install]
WantedBy=multi-user.target
EOF
# Step 4 - Configure the Service
# #################################################################
echo "Configure Services"
sudo systemctl enable x11vnc.service
sudo systemctl daemon-reload
sleep 10
# Step 5 - Restart System
# #################################################################
sudo shutdown -r now

As you can see, the script is really not too difficult. We first install the x11vnc package. Then we configure a VNC password to protect access to the remote machine. The remaining steps create and configure the x11vnc service to run at startup through systemd. At the end of the script, we reboot the machine, and then it is time to check whether the configuration has been applied correctly.
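The unit written by the script requires the stored password but binds the RFB port on every interface. As an added check, not part of the post or its script, the following audits a unit's ExecStart line for that exposure and writes a variant bound to the loopback interface, to be reached through an SSH tunnel; the option names (-rfbauth, -passwdfile, -usepw, -nopw, -localhost) are x11vnc's own.

```bash
#!/bin/sh
# audit_x11vnc_unit.sh - read the ExecStart line of an x11vnc systemd unit
# and flag options that widen who can reach the desktop. Added example; it is
# not part of the original post or of its vnc-startup.sh script.

# Print the command line from the unit's first ExecStart= entry.
exec_start() {
    sed -n 's/^ExecStart=//p' "$1" | head -n 1
}

# Print one finding per line and return 1 if any were found; return 0 when the
# server requires a password and only accepts connections from the local host.
audit_unit() {
    cmd=" $(exec_start "$1") "     # pad so options at either end still match
    findings=0
    case "$cmd" in
        *" -rfbauth "*|*" -passwdfile "*|*" -usepw "*) ;;
        *) echo "no password option: any client that can reach the port may attach"
           findings=1 ;;
    esac
    case "$cmd" in
        *" -nopw "*) echo "-nopw present: password requirement explicitly waived"
                     findings=1 ;;
    esac
    case "$cmd" in
        *" -localhost "*) ;;
        *) echo "no -localhost: RFB port is reachable from every interface"
           findings=1 ;;
    esac
    return $findings
}

# Write a unit with the same options as the post's, plus -localhost so x11vnc
# binds to 127.0.0.1 only. Clients then open a tunnel first:
#   ssh -L 5900:localhost:5900 user@host
# and point their VNC client at localhost:5900.
write_hardened_unit() {
    cat > "$1" <<'EOF'
[Unit]
Description=Start x11vnc at startup (loopback only).
After=multi-user.target
[Service]
Type=simple
ExecStart=/usr/bin/x11vnc -auth guess -forever -loop -noxdamage -repeat -rfbauth /etc/x11vnc.pass -rfbport 5900 -shared -localhost
[Install]
WantedBy=multi-user.target
EOF
}

# Usage: audit_x11vnc_unit.sh /lib/systemd/system/x11vnc.service
if [ "$#" -eq 1 ]; then
    audit_unit "$1"
fi
```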

Execute the script

To execute the script, your system needs to be connected to the internet, because it downloads additional packages from the Ubuntu repositories.

To execute this script, either copy/paste the script content into a text file on your Ubuntu machine (and please check the formatting) or download the script from here to your Ubuntu machine. You will need to mark the script as executable before you can run it.

We will use the command line to perform the necessary actions before running the script. Open a Terminal and type the following command:

chmod +x <%path_of_File%>/vnc-startup.sh

(Adapt the path to match your system configuration.)

You are now ready to proceed with the automated installation of x11vnc and have it configured to run at startup. As mentioned before, we assume that you have an internet connection and can download the package (x11vnc) needed for this configuration.

When you are ready, go to the folder containing the vnc-startup.sh script and you can execute the script by issuing the following command in the command prompt.

sudo ./vnc-startup.sh   

We assume that you downloaded or created the file in the Downloads folder under your home folder. If this is not the case, browse to the location and execute the script from there.

Wait for completion of the script.  The machine will reboot automatically when done.

After the reboot, you can test your configuration by connecting to your Ubuntu machine from a VNC client while nobody is logged into the system.

Screencast – Script Demo

We are providing hereafter also a short video demonstrating how the script works and what should be the final results. So, sit back and relax 🙂

Download Script

For your convenience, we are providing a downloadable version of the script. You can find it here

Final Notes

We have confirmed that with Ubuntu 16.04 we can still have the x11vnc service running at startup, which allows us to connect remotely even if no users are logged on or reboots occur. This configuration would also allow you to connect to the Unity desktop through xrdp (kind of). Check this post for more information.

This is it for today. Time to move on and blog about new things…

till next time

How to modify a computer’s offline registry from WINPE?

http://superuser.com/questions/636055/how-to-modify-a-computers-offline-registry-from-winpe

Load the necessary registry hives:

  • in Registry Editor (regedit), select either HKEY_LOCAL_MACHINE or HKEY_USERS, then click File → Load Hive, open the hive file, and input a temporary name for it;
  • in command line, use reg load HKLM\temp-name path-to-hive
    or reg load HKU\temp-name path-to-hive.

The hive files are located in:

  • most of HKEY_LOCAL_MACHINE corresponds to files in %SystemRoot%\system32\config:
    • HKLM\SAM – file SAM
    • HKLM\SECURITY – file SECURITY
    • HKLM\Software – file software
    • HKLM\SYSTEM – file system
    • the special “system” user’s registry (e.g. login screen, etc.) – file default
  • each user’s personal registry (i.e. their HKEY_CURRENT_USER) is located in file NTUSER.DAT in their profile directory (e.g. C:\Users\grawity\NTUSER.DAT);
    • however, HKCU\Software\Classes is stored in the file AppData\Local\Microsoft\Windows\UsrClass.dat.

A list of currently loaded hives is at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist.

Runas command

https://technet.microsoft.com/en-us/library/cc771525(v=ws.11).aspx

Runas

Updated: April 17, 2012

Applies To: Windows Server 2003, Windows Vista, Windows XP, Windows HPC Server 2008 R2, Windows Server 2008, Windows 7, Windows Server 2003 R2, Windows Server 2000, Windows Server 2012, Windows Server 2003 with SP1, Windows 8

Allows a user to run specific tools and programs with different permissions than the user’s current logon provides.

Runas is a command-line tool that is built into Windows Vista. To use runas at the command line, open a command prompt, type runas with the appropriate parameters, and then press ENTER.

In the user interface for Windows Vista, the Run as… command has been changed to Run as administrator. However, you should rarely have to use the Run as administrator command because Windows Vista will automatically prompt you for an administrator password when it is needed.

For examples of how this command can be used, see Examples.

runas [{/profile | /noprofile}] [/env] [{/netonly | /savecred}] [/smartcard] [/showtrustlevels] [/trustlevel] /user:<UserAccountName> "<ProgramName> <PathToProgramFile>"
Parameter Description
/profile Loads the user’s profile. This is the default. This parameter cannot be used with the /netonly parameter.
/noprofile Specifies that the user’s profile is not to be loaded. This allows the application to load more quickly, but it can also cause a malfunction in some applications.
/env Specifies that the current network environment be used instead of the user’s local environment.
/netonly Indicates that the user information specified is for remote access only. This parameter cannot be used with the /profile parameter.
/savecred Indicates if the credentials have been previously saved by this user. This parameter is not available and will be ignored on Windows Vista Home or Windows Vista Starter Editions. This parameter cannot be used with the /smartcard parameter.
/smartcard Indicates whether the credentials are to be supplied from a smartcard. This parameter cannot be used with the /savecred parameter.
/showtrustlevels Displays the trust levels that can be used as arguments to /trustlevel.
/trustlevel Specifies the level of authorization at which the application is to run. Use /showtrustlevels to see the trust levels available.
/user:<UserAccountName> "<ProgramName> <PathToProgramFile>" Specifies the name of the user account under which to run the program, the program name, and the path to the program file. The user account name format should be <User>@<Domain> or <Domain>\<UserAccountName>.
/? Displays help at the command prompt.
  • Enter the user’s password only when prompted.
  • It is good practice for administrators to use an account with restrictive permissions to perform routine, nonadministrative tasks, and to use an account with broader permissions only when performing specific administrative tasks. To accomplish this without logging off and back on, log on with a regular user account, and then use the runas command to run the tools that require the broader permissions.
  • The use of runas is not restricted to administrator accounts, although that is the most common use. Any user with multiple accounts can use runas to run a program, MMC console, or Control Panel item with alternate credentials.
  • If you want to use the Administrator account on your computer, for the /user: parameter, type one of the following:

    /user:<AdministratorAccountName>@<ComputerName>

    /user:<ComputerName>\<AdministratorAccountName>

  • If you want to use this command as a domain administrator, type one of the following:

    /user:<AdministratorAccountName>@<DomainName>

    /user:<DomainName>\<AdministratorAccountName>

  • With the runas command, you can run programs (*.exe), saved MMC consoles (*.msc), shortcuts to programs and saved MMC consoles, and Control Panel items. You can run them as an administrator while you are logged on to your computer as a member of another group, such as the Users or Power Users group.
  • You can use the runas command to start any program, MMC console, or Control Panel item. As long as you provide the appropriate user account and password information, the user account has the ability to log on to the computer, and the program, MMC console, or Control Panel item is available on the system and to the user account.
  • With the runas command, you can administer a server in another domain or forest (the computer from which you run a tool and the server you administer are in different domains or forests).
  • If you try to start a program, MMC console, or Control Panel item from a network location using runas, it might fail because the credentials used to connect to the shared network resource are different from the credentials used to start the program. The latter credentials may not be able to gain access to the same shared network resource.
  • Some items, such as the Printers folder and desktop items, are opened indirectly and cannot be started with the runas command.
  • If the runas command fails, the Secondary Logon service might not be running or the user account you are using might not be valid. To check the status of the Secondary Logon service, in Computer Management, click Services and Applications, and then click Services. To test the user account, try logging on to the appropriate domain using the account.

The following command starts an instance of the command prompt as an administrator on the local computer:

runas /user:<localmachinename>\administrator cmd

When prompted, type the administrator account password.

The following command starts an instance of the Computer Management snap-in using a domain administrator account called contoso\domainadmin:

runas /user:contoso\domainadmin "mmc %windir%\system32\compmgmt.msc"

When prompted, type the domain administrator account password.

The following command starts an instance of Notepad (and a file named my_file.txt) using a domain administrator account called jayj in a domain called domain.contoso.com:

runas /user:jayj@domain.contoso.com "notepad my_file.txt"

When prompted, type the domain administrator account password.

The following command starts an instance of a command prompt window, saved MMC console, Control Panel item, or program that will administer a server in another forest:

runas /netonly /user:<Domain>\<User_Name> "<Command>"

<Domain>\<User_Name> must be a user with sufficient permissions to administer the server. When prompted, type the account password.

oVirt Deployment Options

https://www.ovirt.org/download/#Fedora_RHEL_Installation_Instructions

The preferred way to install oVirt is by using your operating system’s package manager.

Experienced users can also compile from source, using the guides for the oVirt Engine and oVirt Node.

If you are new to oVirt and would like an easy way to try it, download our Live version, where you can use oVirt on CentOS without installing it on your machine.

System Requirements

Minimum Hardware

  • 4 GB memory
  • 20 GB disk space

Optional Hardware

  • Network storage

Supported OSes (Engine)

  • Fedora 23
  • CentOS Linux 6.8 (3.6 only), 7.2
  • Red Hat Enterprise Linux 6.8 (3.6 only), 7.2
  • Scientific Linux 6.7 (3.6 only), 7.2
  • oVirt follows the Red Hat Customer Portal Browser Support Policy
  • We validate against and fully support the use of recent versions of the following “evergreen” browsers:
    • Mozilla Firefox
    • Google Chrome
    • Apple Safari
    • Microsoft Internet Explorer 11
    • Microsoft Edge
  • These are known as “evergreen” browsers because they automatically update themselves to the most recent available version.

(Optional) Mobile Client

  • Android 4.1 or above
  • Download moVirt, or get it from the Play Store on your device

Install oVirt using package manager

oVirt 4.0 is intended for production use and is available for the following platforms:

Our recommended method of installing oVirt is to use the pre-built packages for Fedora or a supported Enterprise Linux 7 distribution, such as CentOS Linux or Red Hat Enterprise Linux. This makes installing oVirt very easy.

Important: If you’re upgrading from a previous version, please update ovirt-release40 and verify you have the correct repositories enabled by running the following command before upgrading with the usual procedure.

# yum install http://resources.ovirt.org/pub/yum-repo/ovirt-release40.rpm

You should also read the Release Notes for oVirt 4.0.0.